In theory, no more than any other vulnerability/virus/malware... if the system with the private keys/seed is running on an offline system, then the opportunity for "leaks" is pretty minimal... there ARE still attack vectors (compromised USB key etc), so it would probably be prudent to update.

It is good that Theymos created an announcement ticker which flashes whenever somebody visits bitcointalk. Electrum is one of the most popular wallets among newbies, because of its light-weight nature. The headline news regarding internet security has really been bad this week - first the security flaws in Intel chips and now this.

I had a couple of questions regarding the type of attack using JSONRPC to fetch wallet details and to perform transactions:

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering the fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacker to use JavaScript to find my JSONRPC port and then perform transactions?

2) If I have encrypted my Electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

[1] there is no error, and the site has been hacked to get everyone to download the 3.0.4 which may have a backdoor in it.....

[2] or there is an error and the 3.0.4 site is hacked as well?

WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

It's also recommended that all Firefox (or other Mozilla-based browser) users install the 'NoScript' browser extension. The website itself might look a little dated, but it's a good little plugin. It does take a while to get used to, but the extra security is worth the small learning curve. This will greatly reduce the general threat from malicious JavaScript while browsing online. Every website you visit can potentially allow any number of other linked websites to run malicious code through your browser. NoScript allows you to ensure that only the website you want to see can run code (and even then, only if you want it to) and block all the other, possibly dangerous, third party sites that might be linked through it.

1) If I use a firewall to block incoming connections on all ports except ones that I allow and considering the fact that my ISP doesn't allow open ports (I can't open ports through my router, hence I can't even host anything through my public IP) then would it still be possible for an attacker to use JavaScript to find my JSONRPC port and then perform transactions?

2) If I have encrypted my Electrum wallet using a password, then am I safe considering that the attacker cannot steal my funds, view my seed or export my private keys? (I'm sure other wallet settings could be changed though).

There is no known way for them to steal your BTC in that case, though they can see your addresses/transactions and change your settings. I'm not sure (and maybe nobody yet fully knows) exactly how much damage they can do by changing your settings. So you should absolutely still update.

WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6694 D8DE 7BE8 EE56 31BE D950 2BD5 824B 7F94 70E6

That's normal, it means that his key isn't connected to your GPG trust graph. Typically you would --lsign-key the key after verifying it through some other method. PGP is kind of weird.
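The warning discussed above concerns trust in the key, not the signature check itself, so what matters is whether the signing key's fingerprint matches one confirmed independently. The following is an added example, not part of any post in this thread: it checks gpg's machine-readable status output against a pinned fingerprint. The function names, file arguments and sample status lines are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: accept a signature only if it was made by a pinned key.
# Function and variable names are hypothetical.

# Fingerprint as printed in the gpg output quoted in this thread, spaces removed.
# Assumption: you have confirmed it through a channel other than the download site.
PINNED_FPR="6694D8DE7BE8EE5631BED9502BD5824B7F9470E6"

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names the wanted primary key; a bad signature never produces VALIDSIG.
signed_by_pinned_key() {
  awk -v want="$1" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      # Field 3 is the signing (sub)key, field 12 the primary key when reported.
      fpr = (NF >= 12) ? $12 : $3
      if (toupper(fpr) == toupper(want)) ok = 1
    }
    END { exit(ok ? 0 : 1) }'
}

# Usage: verify_release <signature-file> <downloaded-file>
verify_release() {
  gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null |
    signed_by_pinned_key "$PINNED_FPR"
}

# Constructed status lines: good signature from the pinned key, which is in the
# keyring but uncertified (the case that prints the WARNING quoted above).
SAMPLE_UNTRUSTED='[GNUPG:] GOODSIG 2BD5824B7F9470E6 Example Signer
[GNUPG:] VALIDSIG 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6 2018-01-07 1515283200 0 4 0 1 8 00 6694D8DE7BE8EE5631BED9502BD5824B7F9470E6
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed: valid signature from a different, fully trusted key. gpg prints
# no warning here, yet it is not the key being looked for.
SAMPLE_OTHER_KEY='[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2018-01-07 1515283200 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE 0 pgp'

# Constructed: the file does not match the signature.
SAMPLE_BADSIG='[GNUPG:] BADSIG 2BD5824B7F9470E6 Example Signer'
```

The second sample shows why the absence of the warning is not the thing to check: a signature from any trusted key passes silently, while only the fingerprint comparison ties the file to the expected signer.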

Say I didn't touch my wallet or enter the password while the computer was connected to the internet, am I considered safe? And if I don't touch it now until I actually feel like I have to move some funds, should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my Electrum software on while in browser I'm basically safe?

Very bad news for Electrum users. There is a fix, but I think in the process of upgrading many may become victims of phishing sites, which are sometimes shown at the top of search results like ads from Google. So use only the legit Electrum site: https://electrum.org/#home

I use Electrum only in combination with Ledger. Can an old version of Electrum in any way compromise Ledger? I think the answer is no, but I know that Electrum v3 is not working on Windows 7 & 8. Any info on whether this is fixed with the 3.0.4 version?

If you use ElectronCash there is also an upgrade to 3.1.1 with a note that old versions are not safe. Probably Electrum for LTC & DASH need an update too, and before that it is not advisable to use them.

One important question: you say "mitigate". So the 3.0.4 version doesn't completely solve this bug?

My understanding is that since the exploit utilises CORS, 3.0.4 simply disables CORS until a more permanent solution is found. It will make your wallet safe, but it's more of a stopgap than a solution. I think they use the word "mitigate" because it's possible some wallets may have already been compromised if they didn't have a password. This update obviously won't be able to undo any damage that has already been done.

Say I didn't touch my wallet or enter the password while the computer was connected to the internet, am I considered safe? And if I don't touch it now until I actually feel like I have to move some funds, should I update to 3.0.4 and just use my normal wallet using the passphrase? So basically if I don't leave my Electrum software on while in browser I'm basically safe?

As per the announcement by theymos, if we don't use the Electrum wallet without upgrading it will be fine, and if we have a strong passphrase set up we are marginally less at risk. Let's see how this pans out, but a safe bet would be to upgrade as per the above advice.

**THANKS TO THEYMOS AND THE ADMINISTRATORS FOR ALL THE BACKGROUND WORK THAT GOES INTO THE WORKINGS OF THE FORUM AND FOR KEEPING EVERYONE SAFE!!**

I don't know about the technicalities or how they are to hack the software with all the mnemonics attached. When I saw the flash message early in the day, I upgraded immediately and my wallet is already password protected. I hope everything is safe and everyone is able to stop panicking, especially those who are not on the forum to read the warning and the progress that has been made. Electrum is one wallet that to a large extent has been able to create a niche for itself, and I think a vulnerability at this time will tarnish the reputation built over the years.